An ISN (initial sequence number) bug?
Huang, Yusheng
yusheng.huang at bluecoat.com
Mon Aug 13 13:36:22 PDT 2007
Hi,
I think there is a bug in the tcp_isn_tick() function.
1477 static void
1478 tcp_isn_tick(xtp)
1479         void *xtp;
1480 {
1481         u_int32_t projected_offset;
1482 
1483         INP_INFO_WLOCK(&tcbinfo);
1484         projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
1485 
1486         if (projected_offset > isn_offset)
1487                 isn_offset = projected_offset;
1488 
1489         isn_offset_old = isn_offset;
1490         callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
1491         INP_INFO_WUNLOCK(&tcbinfo);
1492 }
If isn_offset is close to the 4G boundary, the projected_offset is
likely to overflow the 4G value, so the unsigned comparison at line #1486
will not be true, and isn_offset will not be incremented by
tcp_isn_tick() for a very long, long time.
-yusheng
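The wraparound described in the post can be reproduced in user space. The program below is an added illustration, not code from the post or from FreeBSD: it models the quoted tick with a plain unsigned comparison next to a variant that compares in modulo-2^32 (serial-number) arithmetic, the same `(int32_t)(a - b) > 0` idiom TCP uses for sequence numbers. The constant ISN_BYTES_PER_SECOND = 1048576, the 100 Hz tick and the u_int32_t type of the offsets are assumptions about the kernel of that era, and the modular comparison is shown as one possible remedy, not as the fix FreeBSD actually committed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values (not taken from the post): 1 MiB/s of ISN advance,
 * spread over a tick that fires hz/100 = 100 times per second. */
#define ISN_BYTES_PER_SECOND 1048576u
#define ISN_TICK_INCREMENT (ISN_BYTES_PER_SECOND / 100u)

struct isn_state {
    uint32_t isn_offset;      /* mirrors the kernel's isn_offset */
    uint32_t isn_offset_old;  /* mirrors isn_offset_old */
};

/* Mirrors the quoted tcp_isn_tick(): the sum wraps at 2^32 and the
 * plain unsigned '>' then sees a tiny value that is never larger than
 * the offset sitting just below the wrap, so nothing advances. */
static void tick_unsigned_compare(struct isn_state *s)
{
    uint32_t projected_offset = s->isn_offset_old + ISN_TICK_INCREMENT;
    if (projected_offset > s->isn_offset)
        s->isn_offset = projected_offset;
    s->isn_offset_old = s->isn_offset;
}

/* Serial-number comparison: a is "ahead" of b when the wrapped
 * difference, read as a signed 32-bit value, is positive. Correct as
 * long as the two values are less than 2^31 apart. */
static int seq_gt(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* Same tick, but with the modular comparison; this is an illustration
 * of the remedy, not FreeBSD's patch. */
static void tick_modular_compare(struct isn_state *s)
{
    uint32_t projected_offset = s->isn_offset_old + ISN_TICK_INCREMENT;
    if (seq_gt(projected_offset, s->isn_offset))
        s->isn_offset = projected_offset;
    s->isn_offset_old = s->isn_offset;
}

/* Run n ticks from a starting offset and return the final isn_offset. */
static uint32_t final_offset(void (*tick)(struct isn_state *),
                             uint32_t start, unsigned n)
{
    struct isn_state s = { start, start };
    for (unsigned i = 0; i < n; i++)
        tick(&s);
    return s.isn_offset;
}

/* Run n ticks and count how many of them actually moved isn_offset. */
static unsigned advances(void (*tick)(struct isn_state *),
                         uint32_t start, unsigned n)
{
    struct isn_state s = { start, start };
    unsigned count = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t before = s.isn_offset;
        tick(&s);
        if (s.isn_offset != before)
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed start value: half a tick below the 2^32 boundary. */
    uint32_t start = UINT32_MAX - ISN_TICK_INCREMENT / 2;

    printf("unsigned compare: %u of 10 ticks advanced, offset 0x%08x\n",
           advances(tick_unsigned_compare, start, 10),
           final_offset(tick_unsigned_compare, start, 10));
    printf("modular compare:  %u of 10 ticks advanced, offset 0x%08x\n",
           advances(tick_modular_compare, start, 10),
           final_offset(tick_modular_compare, start, 10));
    return 0;
}
```

Far from the boundary both variants behave identically; only the last half-tick before 2^32 separates them, which is why the bug is easy to miss in testing and why a counter that is meant to run forever should be compared with wrap-aware arithmetic rather than plain `>`.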